I am using securityscorecard.com to security test some web sites. One of the issues it has flagged is "Outdated web browser observed". Full description is as follows...

The web is constantly evolving, using different languages, protocols, and file formats over time. Web browsers regularly release new versions, on time scales as short as every six weeks. These new versions frequently contain security and stability fixes. When a web browser connects to a web server, it informs the server its platform and version information. This information assists the server in providing appropriate content. The information can also be recorded and aggregated to determine what platforms and browser versions are being used by hosts at various places on the Internet. Using such a data set, it was found that an outdated web browser was in use as described in the table below. Note that a single external IP address, such as those in the table below, may correspond to any number of internal hosts. For example, a company firewall or NAT gateway with a single external IP will appear to be the source of an entire network full of corporate desktops.

As far as I understand, it is basically saying that an old vulnerable web browser version is connected to my server.

So my question is... how can an external service see what web browsers are connected / have been connected to my server?

And secondly, I don't see how I can be responsible for what browser version a client uses?

vegedezozu

2 Answers

5

how can an external service see what web browsers are connected / have been connected to my server?

They might be accessing data which was collected from any tracking services you are using (google analytics or an advertising service, for example). Either publicly available information or information they bought.

Alternatively, it is possible that they simply try to access your website with a User-Agent header of an outdated browser to see if they get blocked. If they don't get blocked, they will deduce that since your website is public-facing and since there is still a significant number of internet users who use outdated browsers and since you don't stop them from visiting your website, there must be some of them who indeed browse your website with their malware magnets.

I don't see how I can be responsible for what browser version a client uses?

Outdated web browsers might lack security features which newer browsers have, like protection from cross-origin request forgery, heuristic XSS detection or protection from browser-hijacking malware. If you do things you shouldn't be doing (like integrating arbitrary HTML content from servers not under your control) and assume that the modern web browsers will protect your visitors from anything that could go wrong, then you are putting your visitors in unnecessary danger.

Further, visitors with unsafe software configurations might be infected with malware. That malware might perform actions on your website the user isn't aware of. Online banking trojans, for example. If you are running an online banking website, then a user infected with malware who tries to pay their plumber might send their life savings to hackers in Nigeria instead. That might technically not be your fault, but the user might still try to hold you responsible. A good lawyer might protect you from having to pay for the damages (if you are lucky), but not from the PR fallout.

But what can you do about that?

Well, you could try to detect outdated web browsers by browser fingerprinting and reject them. But it usually goes against your business objectives to reject otherwise desirable customers. The better approach would be to fix those security problems on your website to make sure that even outdated browsers can use it safely. Because, as you reasoned correctly, a public website has no control over the software configuration of its visitors.

OK, but why doesn't the tool report these vulnerabilities instead of telling me to be careful about the browsers people use?

Because the perceived value of such tools is by what they report, not by what they don't report. That's why such tools usually err on the side of caution and tend to over-report irrelevant problems. If the tool just tells you "everything is OK, keep doing what you are already doing", you wouldn't perceive it as very valuable. So they make sure to include a couple of tests which result in a couple of positives on almost all websites they check, even if the actionable advice which can be taken from these results is minimal.

Philipp
  • Interesting, thank you for the answer. Still curious as to how someone could access my google analytics data, I didn't think my account info would be publicly available (granted I've barely used GA so don't know much about it). – vegedezozu May 07 '20 at 12:59
  • @vegedezozu You are not seriously trusting *Google* to keep your information confidential, do you? Allowing them to monetize your analytics data is how you pay for their service. – Philipp May 07 '20 at 13:02
  • lol, good point. I guess if they sell it to companies that is one thing (so makes sense for securityscorecards to have purchased it), I was just referring to my account data being available for all, otherwise what's the point of having it behind authentication. Point taken though, thanks again. – vegedezozu May 07 '20 at 13:13
  • @vegedezozu Another theory: It's possible that they try to access your website with a fingerprint of an outdated browser to see if they get blocked or not. If they don't get blocked, they conclude that since you are running a public-facing website, you *have* to occasionally get visitors with this browser. – Philipp May 07 '20 at 16:16
0

This finding is not about users connecting to your web servers. If they had access to that data you would have a lot more findings like it and so would the vast majority of companies.

This finding is about connections made from your organization. They could have this data from leaked data sets or their own web servers, most likely by somebody within your organization that was using https://platform.securityscorecard.io. There they have easy access to the User-Agent, since the web server is under their control and they can gather the HTTP headers. Based on the source IP of the request, they will link it to the information they already have on your organization's IP ranges.

To remedy this, check what browsers are used in your internal network that use the IP mentioned by SecurityScorecard externally and update the outdated ones. Then contact SecurityScorecard and inform them that the browser has been updated.

  • "The information can also be recorded and aggregated to determine what platforms and browser versions are being used by hosts at various places on the Internet. Using such a data set ..." --- that phrasing does not suggest the data was internal to them. – schroeder Jul 06 '20 at 12:02
  • @schroeder Good point! I was using their domain as a plausible example of where they could gather user agents. They are also using leaked data sets that may well have browser information in them such as from phishing attempts. The focus of my answer was to refute the idea that this finding is about browsers users accessing the corporation's web servers. I will adjust the answer accordingly. – Meral Harbes Jul 06 '20 at 13:00
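Both answers come down to the same mechanism: a web server (or egress proxy) logs the User-Agent header together with the client's source IP, and whoever holds those logs can group outdated browser versions by the external IP of your NAT gateway. The remediation in the second answer is to run the same check on your own side. The script below is an added example, not code from the page or from SecurityScorecard: it parses constructed, combined-log-format proxy lines (the IPs, timestamps and User-Agent strings are made up), extracts the browser family and major version from the User-Agent, and lists every internal IP that sent a request from a browser below an assumed minimum version. The `MIN_MAJOR` thresholds are illustrative assumptions; a real deployment would take them from the vendors' current release data.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (combined log format, User-Agent in the
# last quoted field). None of these IPs or requests come from the page.
SAMPLE_LOG = """\
10.0.5.12 - - [06/Jul/2020:11:58:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
10.0.5.40 - - [06/Jul/2020:11:58:07 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.0.5.77 - - [06/Jul/2020:11:59:13 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
10.0.5.40 - - [06/Jul/2020:12:01:44 +0000] "GET /app HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.0.5.90 - - [06/Jul/2020:12:02:10 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"
"""

# Assumed minimum acceptable major versions (illustrative thresholds only).
MIN_MAJOR = {"Chrome": 80, "Firefox": 75, "Edge": 80}

# Source IP is the first field; the User-Agent is the last double-quoted field.
LINE_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"\s*$')

# Order matters: Firefox also carries an "rv:" token, and Edge's UA contains
# "Chrome/", so the more specific patterns are tried first.
BROWSER_PATTERNS = [
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Edge", re.compile(r"Edg/(\d+)")),
    ("Internet Explorer", re.compile(r"(?:MSIE |Trident/[\d.]+;.*rv:)(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
]


def parse_line(line):
    """Return (source_ip, user_agent) for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ua")


def identify_browser(ua):
    """Return (browser_name, major_version) or None for tools/unknown clients."""
    for name, pattern in BROWSER_PATTERNS:
        m = pattern.search(ua)
        if m:
            return name, int(m.group(1))
    return None


def is_outdated(name, major):
    """Internet Explorer is treated as always outdated; others compare against MIN_MAJOR."""
    if name == "Internet Explorer":
        return True
    floor = MIN_MAJOR.get(name)
    return floor is not None and major < floor


def find_outdated(log_text):
    """Map each internal source IP to the set of outdated 'Browser/major' strings it used."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, ua = parsed
        browser = identify_browser(ua)
        if browser and is_outdated(*browser):
            hits[ip].add(f"{browser[0]}/{browser[1]}")
    return dict(hits)


if __name__ == "__main__":
    # Prints one line per internal host that needs a browser update.
    for ip, browsers in sorted(find_outdated(SAMPLE_LOG).items()):
        print(ip, ", ".join(sorted(browsers)))
```

Run against the proxy or firewall logs for the external IP named in the finding and the output is the list of internal hosts to patch; the `curl` line shows why unknown clients are left out rather than flagged, since a User-Agent string is self-reported and non-browser tools should be triaged separately. Note that the same self-reporting is why the scanner's observation is only circumstantial: the header can be spoofed in either direction.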